With the advent of non-face-to-face transactions in e-commerce, banking, gaming, etc., conducted from online mobile devices and the associated cloud-based services, incidents of identity theft and the associated fraudulent use of stolen users' credentials to commit crimes have escalated at an alarming rate. Such fraud has arguably risen to be the number one threat to the mass adoption of non-face-to-face electronic transaction services. Governments all over the world have enacted laws limiting the monetary levels of transactions and have adopted worldwide “Data Protection Principles” in order to protect individuals' credentials and identities.
For online service providers, it is often necessary to identify and authenticate a user or customer before granting or authorizing access to certain restricted resources or services in order to complete a transaction. Typically, in the prior art, users are required to present a subset of their biographical credentials, such as passport numbers, social security numbers, driver's license numbers, passwords, passphrases, or PINs, or to talk to a live agent and reveal information or a token for authentication. Typically, service providers implement their own authentication scheme with their own set of credentials. As a result, it is quite common for a user or customer to have to remember and present a plurality of such credentials to gain access to different systems or online services. From the average user's perspective, having to remember multiple passwords is extremely difficult and painful; it is also highly error prone. Forgotten user names and passwords need to be reset often, which is another source of user complaints.
The realization that authentication using only biographical information was very inadequate for authenticating a user in an online non-face-to-face transaction has created a need for stronger and better authentication techniques. Thus, many systems and solutions utilizing multiple biometric data such as fingerprint, facial print, voiceprint, iris scan data, eye pupil movements, etc. were proposed.
Several patents have been issued, and others applied for, relating to identification and authentication using biometric data. Notable among these are the patents issued to Parker U.S. Pat. No. 6,985,070 Kaneusky et al, IBM US Patent number 02/U.S. Pat. No. 6,421,453 B1, Paul T-Schultz patent application Ser. No. 13/407,079, Grzybouski Patent application number 2011/0145817 and Yeruchem LEVOVITZ, patent Ser. No. 13/007,629.
Our invention differs from the above by requiring the simultaneous capture of facial and voice utterances as part of our “user aliveness” verification. This feature is contained in our Provisional Patent Application, with a filing date of 9 Nov. 2013, on which this patent application is based.
In prior-art identification and authentication solutions, there is a mandatory requirement for the user to be physically present at a registration site or location for identity vetting prior to obtaining the user's biometric samples (be it fingerprints, facial profile, live video or voice print) or biographical data (name, address, passport number, etc.). This is required because there is no other way to establish the identity of a new applicant. Such solutions tend to be not only inconvenient for customers but also costly and ill-suited for wide-scale deployment.
Vetting a client online, as currently demanded by online service providers prior to obtaining the customer's biometric samples, has its vulnerabilities. A fraudster bent on stealing and using someone else's identity documents could identify himself or herself online using someone else's real name, real passport number, real social security number or real driver's license number without being detected. When these stolen identities are checked against the records in any authoritative databases as part of the pre-registration vetting process, the information provided online by the fraudster will most likely be found to be accurate and the vetting process will then be declared successful. That means the vetted person will be allowed to register using the information obtained from the stolen identity documents. Following successful vetting, the applicant will be able to submit his real photograph and real biometric credentials, such as fingerprints, facial image, voiceprint, iris scans or retina scans, to complete the online registration under someone else's name. Following successful registration, the imposter will be granted an online identity that can be authenticated using the collected biometric credentials. Therefore, in this particular scenario, the imposter will have successfully managed to establish an online identity by using someone else's identity documents, which makes this a case of online identity theft. Accordingly, there is a need for an online fraudster-resistant identity vetting and validation process that cannot easily be taken advantage of by using someone else's stolen identity documents such as a driver's license and passport.
The fraudster-resistant identity vetting and validation process must be able to determine, to a reasonable degree of certainty, the true identity of the user applying for registration prior to allowing the applicant to continue with the standard registration process that involves submitting biographical and biometric data online through the registration portal. Prior-art identity vetting and validation methods involve a physical visit by the applicant to a designated registration office, such as a bank branch or processing center, where the identity documents can be inspected physically and visually by a trained registration agent. In this invention, the identity vetting and validation process is performed online to eliminate the inconvenience of having the customer pay a physical visit to a registration office or center.
Based on the foregoing, it is clear that there is a need for an authentication and identification methodology and system that addresses many key issues that the current biometric and biographical methods have either partially addressed or have missed altogether. Thus, this invention addresses the need to implement a methodology that can be broadly deployed in networks and is usable by a plurality of service providers. Specifically, this invention addresses a) compliance with government regulations (such as Anti-Money Laundering, Counter Terrorism Financing, etc.), b) ensuring that the individual online is who he/she claims to be, c) verifying that the user online is a living person and not a set of fake biometric data on a mobile device (i.e. the “aliveness” test), d) ensuring that the integrity and accuracy of the enrolment data on file used to authenticate a user is kept up to date and meets the “Fourth Data Protection Principle”, and e) verifying that the biographical data being used for enrolment and authentication of the user is not stolen and being used fraudulently.